What is AWS IAM: Working, Components, and Features Explained

What is AWS IAM

Amazon Web Services (AWS) offers a secure cloud platform on which users deploy their applications. AWS security provides a higher level of data protection than a typical on-premises environment, and at a lower price. Although AWS provides many security services, Identity and Access Management (IAM) is the most widely used. AWS IAM lets you securely control access to AWS resources and services: with it you manage IAM users, groups, and their permissions.

Let’s begin the AWS IAM tutorial with understanding AWS security.

What is AWS Security?

Security is AWS's top priority. Hosting your environment in the cloud means that it runs in a secure data center and network that meets the security requirements of even highly sensitive organizations. This level of security is available on a pay-as-you-go basis, which is much cheaper than building the equivalent on premises.

Among AWS's many security services, a few of the most widely used are:

  • Identity and Access Management (IAM)
  • Key Management Service (KMS)
  • Cognito
  • Web Application Firewall (WAF)

In this tutorial, we will deal with IAM.

IAM allows you to securely manage access to AWS resources and services. With IAM you can, for example, organize users into groups or deny access to particular servers.

Why IAM?

Prior to AWS and IAM, passwords in corporate environments were shared insecurely via email or over the phone. There was often only one administrator password, which was stored in a specific location or reset by one person. You had to call that person to get the admin password over the telephone. This was not secure: anyone could walk in, take the password, and gain access to your information.

We now have a safer communication tool: Slack, a third-party app that is hosted on AWS. It allows people to share documents through the application, so eavesdropping can be eliminated.

Let’s now look at the AWS IAM tutorial.

What is IAM?

AWS Identity and Access Management is a web service that securely controls access to AWS resources. You can use it to control access to your AWS resources and to create services that allow you to authenticate users.

How Does IAM Work?

These six elements make up the IAM workflow:

  1. Principal: an entity that can perform actions on AWS resources. Principals include users, roles, and applications.
  2. Authentication: verification of the identity of the principal that is trying to access AWS services. To authenticate, the principal must supply its credentials or keys.
  3. Request: the principal asks AWS to perform an action and specifies the resource on which it should be performed.
  4. Authorization: all requests are denied by default. IAM authorizes a request only if a matching policy allows every part of it (the action, the resource, and any conditions) and no policy explicitly denies it. Only after the principal is authenticated and the request is authorized does AWS carry out the action.
  5. Actions: what the principal does with a resource, such as viewing, creating, editing, or deleting it.
  6. Resources: the entities in your AWS account on which actions are taken.

In the next section, we will explore IAM components in the AWS IAM tutorial.

Components of IAM

IAM has four main components. The user is the first. A group is a collection of users. Policies determine whether a request is allowed or denied. IAM roles can be used to grant temporary access, for example to an instance.

Users

An IAM user is an identity with credentials and permissions associated with it. It can represent an actual person or an application. You can securely manage AWS access with IAM by creating a separate IAM user for each employee in your company.

Each IAM user belongs to exactly one AWS account. By default, a new user cannot perform any actions in AWS. The advantage of one IAM user per person is that each user can be granted permissions individually.

Groups

An IAM group is a collection of IAM users. Groups let you assign permissions to multiple users at once: any permissions attached to the group apply to each of its members. Groups are easy to manage because the permissions you set for the group are applied automatically to all members. When you add a new user to a group, all policies and permissions already attached to that group apply to the new user automatically, which reduces the administrative burden.

Policies

An IAM policy controls permissions and access to AWS resources. AWS stores policies as JSON documents. Permissions define who can access the resources and what actions they are allowed to perform. A policy might, for example, allow an IAM user access to one bucket on Amazon S3. The policy would specify:

  • Who can access it?
  • What actions can the user take?
  • Which AWS resources can the user access?
  • When are the resources accessible (under which conditions)?

There are two types of policy: managed and inline.

  1. Managed policies are standalone identity-based policies that can be attached to multiple entities in your AWS account (users, groups, and roles). They are either AWS-managed or customer-managed.
  2. Inline policies are policies you create and embed directly in a single entity (a user, group, or role).
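The following Python is an added example, not code from the original tutorial or from AWS. It reads a constructed IAM policy document, lists the who/what/which/when fields the section above describes for each statement, and flags statements that are the opposite of granular permissions (a service-wide action wildcard or `Resource: "*"` on an Allow). The bucket name and statement ids are made up for the example; `Sid`, `Effect`, `Action`, `Resource` and `Condition` are the real policy document keys.

```python
import json

# Constructed sample policy: one tightly scoped statement and one over-broad
# statement. The bucket name is a placeholder, not a value from the article.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
    },
    {
      "Sid": "TooBroad",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def summarize(policy):
    """Return one tuple per statement: (sid, effect, actions, resources, has_condition).
    These are the 'what actions', 'which resources' and 'when' fields of a policy;
    the 'who' is the user, group or role the policy is attached to."""
    rows = []
    for stmt in policy["Statement"]:
        rows.append((stmt.get("Sid", ""),
                     stmt["Effect"],
                     _as_list(stmt["Action"]),
                     _as_list(stmt["Resource"]),
                     "Condition" in stmt))
    return rows


def find_overbroad(policy):
    """Flag Allow statements that grant a global or service-wide action wildcard,
    or that apply to every resource: the opposite of granular permissions."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: action wildcard {action!r}")
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                findings.append(f"{sid}: applies to every resource")
    return findings


if __name__ == "__main__":
    for sid, effect, actions, resources, conditional in summarize(SAMPLE_POLICY):
        print(f"{sid}: {effect} {actions} on {resources}"
              f"{' (conditional)' if conditional else ''}")
    for finding in find_overbroad(SAMPLE_POLICY):
        print("WARNING:", finding)
```

The same check applies whether the document is attached as a managed policy or embedded inline; the JSON format is identical in both cases, only the attachment differs.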

Roles

An IAM role is a set of permissions that determines which actions are allowed or denied for whoever assumes it; you can define it, for example, in the AWS console. A role can be assumed by any entity that needs it, whether a person or an AWS service. A role's permissions are delivered as temporary credentials.

You might, for example, allow your mobile app to access AWS resources without embedding a key, credential, or password in the app. You might also want to grant access to resources to someone who already has an identity outside of AWS, for example a user authenticated by Google or Facebook.

Roles can also be used to let someone access your account's resources or to let a service act on your behalf. A third party such as an auditor or consultant might be granted temporary access to your account: they are not permanent users, and their access to your environment expires.

Let’s take a look at IAM in the next section of the AWS identity and access management tutorial.

Features of IAM Service

Here are some key features of IAM.

  • Shared AWS access. You can create a unique username and password for each user or resource, and you can also delegate access.
  • Granular permissions. Restrictions can be applied to requests. You can, for example, allow a user to read information but use policies to restrict the user's ability to modify it.
  • Multifactor authentication (MFA). Users enter their username and password along with a one-time code generated on their phone. This random code acts as an additional authentication factor.
  • Identity federation. IAM can trust an authentication the user has already performed elsewhere, such as with a Facebook or Google account, and grant access based on it. This lets users keep one password for both cloud and on-premises work.
  • Free to use. There is no additional charge for IAM. Additional users, groups, and policies can be created at no extra cost.
  • PCI DSS compliance. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to organizations handling branded credit cards issued by the major card companies. IAM is compliant with this standard.
  • Password policy. Using the IAM password policy you can reset or rotate passwords remotely. You can also set rules such as how users must choose a password and how many attempts they may make before they are denied access.

Let’s look at the final section of the AWS IAM tutorial, which shows how to create an S3 bucket whose access is protected by multifactor authentication (MFA).

Create an S3 Bucket Using the MFA Feature

This article’s final section combines all the information and solves a basic problem.

Problem statement: create an S3 bucket in which every user can read and write data, using multifactor authentication.

Task: set policies and give permissions to a user or group.

  • Give read and/or write access to the developer group.
  • Set a policy that allows a user to read objects in the S3 bucket but denies permission to write them unless the user is MFA-authenticated.

This is a typical use case for sensitive data stored in S3 buckets: you want to restrict access to the buckets to MFA-authenticated or otherwise privileged users, and multifactor authentication is enabled for those privileged users.
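As an added example (not code from the original tutorial or from AWS), the following Python models the authorization step from the "How Does IAM Work?" section above and applies it to this MFA problem: a constructed developer-group policy allows reads and writes on the bucket, and an explicit Deny blocks `s3:PutObject` whenever the request was not made with MFA. The evaluator is a simplified model (default deny, explicit Deny wins over Allow, wildcard matching on Action and Resource, and only the `Bool` and `BoolIfExists` condition operators). The bucket name, object key and request contexts are made up for the example; `aws:MultiFactorAuthPresent`, `Bool` and `BoolIfExists` are real IAM names.

```python
import copy
import json
from fnmatch import fnmatchcase

# Constructed example policy for the developer group. The bucket name is a
# placeholder; aws:MultiFactorAuthPresent and BoolIfExists are real IAM names.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-sensitive-bucket"},
    {"Sid": "AllowReadWriteObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-sensitive-bucket/*"},
    {"Sid": "DenyWriteWithoutMFA", "Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")

# Same policy with plain "Bool" instead of "BoolIfExists": a common mistake,
# because the MFA key is absent (not "false") for long-term access keys.
PITFALL_POLICY = copy.deepcopy(DEVELOPER_POLICY)
PITFALL_POLICY["Statement"][2]["Condition"] = {
    "Bool": {"aws:MultiFactorAuthPresent": "false"}}

# Constructed object ARN inside the example bucket.
OBJECT_ARN = "arn:aws:s3:::example-sensitive-bucket/reports/q1.csv"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # '*' is a wildcard in Action and Resource; action names are case-insensitive.
    if fold_case:
        value = value.lower()
    return any(fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Simplified: only the Bool and BoolIfExists operators are implemented.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue        # key absent: "IfExists" counts as a match
                return False        # key absent: plain Bool never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified IAM evaluation of one identity-based policy: default deny,
    an explicit Deny overrides any Allow, and a statement applies only when
    its Action, Resource and Condition all match the request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: MFA session, non-MFA session, long-term key.
    for label, ctx in [("MFA session", {"aws:MultiFactorAuthPresent": "true"}),
                       ("no-MFA session", {"aws:MultiFactorAuthPresent": "false"}),
                       ("long-term access key", {})]:
        print(f"{label:21s} read:  {evaluate(DEVELOPER_POLICY, 's3:GetObject', OBJECT_ARN, ctx)}")
        print(f"{label:21s} write: {evaluate(DEVELOPER_POLICY, 's3:PutObject', OBJECT_ARN, ctx)}")
    print("pitfall (Bool), long-term key write:",
          evaluate(PITFALL_POLICY, "s3:PutObject", OBJECT_ARN, {}))
```

The `PITFALL_POLICY` variant shows why the Deny uses `BoolIfExists`: for a request signed with a long-term access key the `aws:MultiFactorAuthPresent` key is simply absent, so a plain `Bool` comparison never matches and the write is allowed, which defeats the purpose of the policy.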

Conclusion – AWS IAM tutorial

This AWS IAM tutorial has given you an overview of AWS security features and of IAM. Amazon Web Services provides many remote computing services in addition to its security services. AWS cloud adoption is increasing worldwide, which creates demand for specialists who are well-versed in AWS services and principles.

About the Author: The Next Trends
